CVE-2025-70795
STProcessMonitor.sys — process termination primitive in Safetica driver
Summary
| Field | Value |
|---|---|
| Driver | STProcessMonitor.sys (Safetica) |
| Vulnerability Class | Process Termination (BYOVD, bring your own vulnerable driver) |
| Exploited ITW | No |
| Vendor | Safetica (DLP solution) |
Root Cause
The Safetica process monitor driver exposes an IOCTL that terminates arbitrary processes without validating the caller. Because any user-mode process can open the device, it can issue that IOCTL and kill protected processes, including EDR/AV agents.
Exploitation
The attacker loads the signed Safetica driver and sends process termination IOCTLs to kill security products before deploying payloads.
Exploitation Primitive
Load signed STProcessMonitor.sys → open device handle
→ send process termination IOCTL → kill EDR/AV
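The defender's view of the chain above is a correlation: a load of STProcessMonitor.sys followed shortly by the death of security-agent processes on the same host. The script below is an added detection example, not Safetica's code and not part of the CVE record. The log lines, hostnames, timestamps and the protected-process names (edr_agent.exe, av_service.exe) are constructed placeholders; the event IDs borrow Sysmon's numbering (6 = driver loaded, 5 = process terminated) but the line format is invented for the example.

```python
"""Correlate a vulnerable-driver load with security-process terminations.

Added example (not Safetica's code). Field layout per constructed log line:
    <ISO timestamp> <host> <event id> <image path>
Event id 6 = driver loaded (image is the driver path),
event id 5 = process terminated (image is the process path).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Driver named in the CVE record. Only the file name is known here; a real
# rule would also match on the driver's hash, which this page does not give.
VULNERABLE_DRIVERS = {"stprocessmonitor.sys"}
# Constructed placeholder names standing in for the EDR/AV agents to protect.
PROTECTED_PROCESSES = {"edr_agent.exe", "av_service.exe"}
# Terminations this long after the driver load count as part of the chain.
WINDOW = timedelta(minutes=5)

# Constructed sample log. ws01 shows the attack chain; ws02 shows a driver
# load with a protected-process exit 45 minutes later, outside the window.
SAMPLE_LOG = """\
2025-01-01T10:00:00 ws01 6 C:\\Windows\\Temp\\STProcessMonitor.sys
2025-01-01T10:00:12 ws01 5 C:\\Program Files\\EDR\\edr_agent.exe
2025-01-01T10:00:13 ws01 5 C:\\Program Files\\AV\\av_service.exe
2025-01-01T10:00:20 ws01 5 C:\\Windows\\System32\\notepad.exe
2025-01-01T10:30:00 ws02 6 C:\\Windows\\System32\\drivers\\STProcessMonitor.sys
2025-01-01T11:15:00 ws02 5 C:\\Program Files\\EDR\\edr_agent.exe
"""


@dataclass
class Event:
    ts: datetime
    event_id: int
    host: str
    image: str  # driver path for id 6, process path for id 5


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of both path separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text: str) -> list[Event]:
    """Parse the constructed line format; image paths may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, image = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(ts), int(event_id), host, image))
    return events


def find_byovd_kills(events: list[Event]) -> list[tuple[str, str, list[str]]]:
    """Return (host, driver, [killed protected processes]) for every load of a
    vulnerable driver that is followed within WINDOW, on the same host, by the
    termination of at least one protected process."""
    alerts = []
    loads = [e for e in events
             if e.event_id == 6 and basename(e.image) in VULNERABLE_DRIVERS]
    for load in sorted(loads, key=lambda e: e.ts):
        killed = {
            basename(e.image) for e in events
            if e.event_id == 5
            and e.host == load.host
            and basename(e.image) in PROTECTED_PROCESSES
            and load.ts <= e.ts <= load.ts + WINDOW
        }
        if killed:
            alerts.append((load.host, basename(load.image), sorted(killed)))
    return alerts


if __name__ == "__main__":
    for host, driver, killed in find_byovd_kills(parse_log(SAMPLE_LOG)):
        print(f"ALERT {host}: {driver} loaded, then terminated {', '.join(killed)}")
```

The driver load alone is a weak signal on hosts where Safetica is legitimately deployed, which is why the rule requires the follow-on terminations; the time window and the protected-process set are the two knobs to tune. Blocking the load in the first place (a WDAC policy or the Microsoft vulnerable driver blocklist, keyed on the driver's hash rather than its file name) removes the primitive outright and is the preferred mitigation where it can be rolled out.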